Name      Current Setting  Required  Description
----      ---------------  --------  -----------
FILENAME                   no        The filename to give the payload. (Leave Blank for Random)
PATH      /webdav/         yes       The path to attempt to upload
Proxies                    no        Use a proxy chain
RHOST     192.168.235.1    yes       The target address
RPASS     xampp            yes       The Password to use for Authentication
RPORT     80               yes       The target port
RUSER     wampp            yes       The Username to use for Authentication
VHOST                      no        HTTP server virtual host

Fimap is a little Python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in web apps. fimap should be something like sqlmap, just for LFI/RFI bugs instead of SQL injection. It’s currently under heavy development but it’s usable.

The goal of fimap is to improve the quality and security of your website.

Do not use this tool on servers where you don’t have permission to pentest!

Fimap is a Local and Remote file inclusion auditing Tool (LFI/RFI).

How to use:

fimap.py [Options]

[Options]

-h – Help

-u [URL] – URL to scan

-m – Mass scan

-l [filename] – List of URLs for mass scan

-g – Perform Google search to find URLs

-q – Google search query

-H – Harvests a URL recursively for additional URLs to scan

-w [filename] – Write URL list for mass scan

-b – Enables blind testing where errors are not reported by the web application

Mutillidae Web App – Metasploitable 2 LFI/RFI Auditing

Mutillidae is a free, open source web application provided to allow security enthusiasts to pen-test a web application. NOWASP (Mutillidae) can be installed on Linux, Windows XP, and Windows 7 using XAMPP, making it easy for users who do not want to administrate a web server. It is already installed on Samurai WTF and Rapid7 Metasploitable-2, and the existing version can be updated on either. NOWASP (Mutillidae) contains dozens of vulnerabilities and hints to help the user, providing an easy-to-use web hacking environment deliberately designed to be used as a lab for security enthusiasts, classrooms, labs, and vulnerability assessment tool targets. Mutillidae has been used in graduate security courses, in corporate web security training courses, and as an “assess the assessor” target for vulnerability assessment software.

This information can be used to further exploit the vulnerable system either manually or with another tool. On the other hand, we can also use fimap’s internal attack features by adding a “-x” parameter to the command line.

Metasploitable 2 – DVWA – Damn Vulnerable Web App

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications, and aid teachers/students to teach/learn web application security in a classroom environment.

Security environment:


Remote File Inclusion (RFI) is a type of vulnerability most often found on websites. It allows an attacker to include a remote file, usually through a script on the web server. The vulnerability occurs due to the use of user-supplied input without proper validation.

PHP

In PHP the main cause is due to the use of unvalidated external variables such as $_GET, $_POST, $_COOKIE with a filesystem function. Most notable are the include and require statements. Most of the vulnerabilities can be attributed to novice programmers not being familiar with all of the capabilities of the PHP programming language. The PHP language has an allow_url_fopen directive, and if enabled it allows filesystem functions to use a URL which allows them to retrieve data from remote locations. An attacker will alter a variable that is passed to one of these functions to cause it to include malicious code from a remote resource. To mitigate this vulnerability, all user input needs to be validated before being used.
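The include misuse described above, placed next to a hardened version that maps the request parameter onto a fixed allowlist, as an added example. This is not code from the original post, DVWA, Mutillidae or fimap; the page names, the pages/ directory and the function names are assumed for illustration.

```php
<?php
// Added example, not from the original post or any of the projects it describes.
// Assumes site pages live in ./pages/ as <name>.php (illustrative names).

// VULNERABLE: the request parameter is concatenated straight into include().
// With allow_url_include=On a value such as http://attacker.invalid/x.txt is
// fetched and executed (RFI); even with it Off, ../../etc/passwd reads local
// files (LFI). Kept here only to show the pattern the text describes.
function render_page_vulnerable(): void
{
    $page = $_GET['page'] ?? 'home';
    include $page . '.php';
}

// HARDENED: untrusted input is used only as a lookup key into a fixed allowlist,
// never as part of a path. Anything not in the map is rejected outright.
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $requested): ?string
{
    // Unknown key -> null; no attempt to "clean" the value into a path.
    return PAGES[$requested] ?? null;
}

function render_page_hardened(): void
{
    $path = resolve_page($_GET['page'] ?? 'home');
    if ($path === null) {
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include __DIR__ . '/' . $path;
}

// Defence in depth belongs in php.ini as well (allow_url_include cannot be
// changed at runtime):
//   allow_url_include = Off   ; never let include/require fetch URLs
//   allow_url_fopen   = Off   ; unless the app genuinely needs remote fopen()
//   open_basedir      = /var/www/app   ; confine filesystem access

// Self-check when run from the CLI: only allowlisted keys resolve to a path.
function allowlist_self_check(): bool
{
    $cases = [
        ['about', 'pages/about.php'],
        ['../../../etc/passwd', null],              // LFI-style value, constructed
        ['http://attacker.invalid/x.txt', null],    // RFI-style value, constructed
        ['', null],
    ];
    foreach ($cases as [$input, $expected]) {
        if (resolve_page($input) !== $expected) {
            return false;
        }
    }
    return true;
}

if (PHP_SAPI === 'cli') {
    echo allowlist_self_check() ? "allowlist checks passed\n" : "allowlist checks FAILED\n";
}
```

Run it with `php` from the command line to see the self-check; in a web context call render_page_hardened() from the page router. The key design choice is that the request value never reaches a filesystem function: it selects an entry from a table the developer controls, so neither a URL nor a traversal sequence can change which file is included.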